Is Your Brokerage Ready for Mandatory PCI Compliance?

by Guest Contributors
  • The General Manager of SafeCharge Israel talks about the new payment regulation challenges faced by online merchants
Is Your Brokerage Ready for Mandatory PCI Compliance?
Photo: Bloomberg
Join our Telegram channel
Shemer Katz, General Manager, SafeCharge Israel

Shemer Katz, General Manager, SafeCharge Israel

On the 1st of June 2015, the new PCI (Payment Card Industry) 3.0 standard became mandatory and all merchants are expected to move to the new standard.

All online merchants who process, transmit or store customer credit cards need to comply with the Payment Card Industry Data Security Standard (PCI DSS, or as its more commonly known PCI Compliance ), which is a complex and demanding set of requirements for payment data protection.

For online merchants who manage their own PCI compliance, this can be time consuming and risky, as holding customers’ credit card details on file makes them more vulnerable to malicious hackers. If PCI compliance is outsourced, there are no credit card details on its system as all the card data is processed and stored by a third-party provider, so minimising the liability of their compliance responsibilities.

Outsourcing reduces or eliminates PCI scope, and minimising scope is the simplest way for a merchant to achieve PCI compliance. An outsourced provider should be properly certified, and use the latest technology. All of the merchant’s IT infrastructure should be taken out of PCI scope, as any part of the merchant’s IT system which processes, stores or transmits cardholder data comes under PCI regulations.

One of the methods in which an outsource provider can remove a merchant from PCI scope is tokenisation, whereby a customer’s card details (the primary account number – PAN) are replaced by a token that has no exploitable meaning or value, and takes the place of the card details. With tokenisation, if a hacker were to gain entry to the merchant’s system all he/she would get would be the token, which will be of no use as the hacker has no means of de-tokenisation.

Most of the changes introduced with PCI 3.0 are clarifications and tweaks to existing requirements. The Regulation refinements cover everything from the definition of scope and methods of documentation to new ways of preventing fraud at the point of sale. For merchants who do not outsource their PCI requirements, they will find an ever-increasing amount of their technology systems come under the scope of version 3.0.

It’s not only workstations that handle the credit card data that is included in the scope, it’s now more defined in the regulations that any potentially vulnerable server or workstation that touches the merchant’s network has to be PCI DSS compliant. This extension of the scope has been brought about as a hacker could get into a network by a lesser protected workstation and subsequently gain access to a merchant’s customer data on the supposedly more secure parts of the network.

When deciding on what route to take to be PCI 3.0 compliant, merchants need to consider the following changes to the standards that are now required:

  • A firewall configuration needs to be installed and maintained to protect cardholder data
  • Vendor supplied defaults should not be used for system passwords and other security parameters
  • Stored cardholder data needs to be protected
  • Encrypt transmission of cardholder data across open public networks
  • All systems need to be protected against malware
  • Anti-virus software needs to be regularly updated
  • Develop and maintain secure systems and applications
  • Restrict access to cardholder data by “need to know”
  • Identify and authenticate access to systems components
  • Restrict physical access to cardholder data
  • Track and monitor all access to network resources and cardholder data
  • Regularly test security systems and processes
  • Maintain a policy that looks at information security for all staff

Finally, something that is out of a merchant’s control, but ironically still part of the merchant’s liability, is that all third parties handling customer credit card data on behalf of a merchant will be included in the new scope. So outsource to payment providers that have a solid list of clients utilising their descoping solution and that perform continuous maintenance checks in adherence with all PCI standards and updates.

This article is part of the FinanceMagnates Community project. If you wish to become a guest contributor, pleaseapply here.

Shemer Katz, General Manager, SafeCharge Israel

Shemer Katz, General Manager, SafeCharge Israel

On the 1st of June 2015, the new PCI (Payment Card Industry) 3.0 standard became mandatory and all merchants are expected to move to the new standard.

All online merchants who process, transmit or store customer credit cards need to comply with the Payment Card Industry Data Security Standard (PCI DSS, or as its more commonly known PCI Compliance ), which is a complex and demanding set of requirements for payment data protection.

For online merchants who manage their own PCI compliance, this can be time consuming and risky, as holding customers’ credit card details on file makes them more vulnerable to malicious hackers. If PCI compliance is outsourced, there are no credit card details on its system as all the card data is processed and stored by a third-party provider, so minimising the liability of their compliance responsibilities.

Outsourcing reduces or eliminates PCI scope, and minimising scope is the simplest way for a merchant to achieve PCI compliance. An outsourced provider should be properly certified, and use the latest technology. All of the merchant’s IT infrastructure should be taken out of PCI scope, as any part of the merchant’s IT system which processes, stores or transmits cardholder data comes under PCI regulations.

One of the methods in which an outsource provider can remove a merchant from PCI scope is tokenisation, whereby a customer’s card details (the primary account number – PAN) are replaced by a token that has no exploitable meaning or value, and takes the place of the card details. With tokenisation, if a hacker were to gain entry to the merchant’s system all he/she would get would be the token, which will be of no use as the hacker has no means of de-tokenisation.

Most of the changes introduced with PCI 3.0 are clarifications and tweaks to existing requirements. The Regulation refinements cover everything from the definition of scope and methods of documentation to new ways of preventing fraud at the point of sale. For merchants who do not outsource their PCI requirements, they will find an ever-increasing amount of their technology systems come under the scope of version 3.0.

It’s not only workstations that handle the credit card data that is included in the scope, it’s now more defined in the regulations that any potentially vulnerable server or workstation that touches the merchant’s network has to be PCI DSS compliant. This extension of the scope has been brought about as a hacker could get into a network by a lesser protected workstation and subsequently gain access to a merchant’s customer data on the supposedly more secure parts of the network.

When deciding on what route to take to be PCI 3.0 compliant, merchants need to consider the following changes to the standards that are now required:

  • A firewall configuration needs to be installed and maintained to protect cardholder data
  • Vendor supplied defaults should not be used for system passwords and other security parameters
  • Stored cardholder data needs to be protected
  • Encrypt transmission of cardholder data across open public networks
  • All systems need to be protected against malware
  • Anti-virus software needs to be regularly updated
  • Develop and maintain secure systems and applications
  • Restrict access to cardholder data by “need to know”
  • Identify and authenticate access to systems components
  • Restrict physical access to cardholder data
  • Track and monitor all access to network resources and cardholder data
  • Regularly test security systems and processes
  • Maintain a policy that looks at information security for all staff

Finally, something that is out of a merchant’s control, but ironically still part of the merchant’s liability, is that all third parties handling customer credit card data on behalf of a merchant will be included in the new scope. So outsource to payment providers that have a solid list of clients utilising their descoping solution and that perform continuous maintenance checks in adherence with all PCI standards and updates.

This article is part of the FinanceMagnates Community project. If you wish to become a guest contributor, pleaseapply here.

!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|} !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}